SAP Authorizations Permissions and User Root Sets Evaluations

Direkt zum Seiteninhalt
Permissions and User Root Sets Evaluations
Define security policy for users
You can implement the first request for additional verifications when performing document transactions by using document validation. In this example, we assume that the document is posted through an interface and that you want to check permissions for custom authorization objects and/or certain data constellations. There are different dates for document validation. The complete document can always be validated, if only the information from document header (time 1) or document position (time 2) is available to you, this can also be sufficient depending on the scenario. In such cases, you need to create validation at the appropriate times. Before you can write a User-Exit in a validation, you have to make some preparations.

Since the maintenance effort would be too great if individual authorizations were entered in the user master record, authorizations can be combined into authorization profiles. Changes to access rights take effect for all users who have entered the profile in the master record.
Consolidate user-level role mapping
Unlike the EWA, the SOS is able to list users that require extensive permissions. So you can maintain a whitelist. We recommend that you deal with the results of the SOS as follows: Verify that all identified users require critical permission. Complete the users who need this permission in the whitelist. Remove this permission from other users.

By correcting SAP Note 1692243, you can now also use the report in a ZBV (Central User Management) environment; It is no longer limited to individual clients. If the role assignment of the ZBV in the SCUM transaction is set to global, it is sufficient if the correction is recorded in the central client. Then it is only possible to execute the report in the central client. Furthermore, you have the option to select the ZBV's subsidiary systems from the Receive System drop-down box in such a way that only the systems in which the role assignment is to be consolidated or deleted are taken into account. In the results list of the consolidated role assignment, you will now be listed in the ZBV-System column the subsidiary systems where consolidation or deletion took place.

The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".

The website www.sap-corner.de offers many useful information about SAP basis.


Permission values in PFCG roles are maintained and debugging requires the use of the system trace for permissions.

The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.


In order to ensure that you can set the mixing mode for the respective roles directly when maintaining the data in the transaction SU24, the function has been provided here with the respective support packages named in SAP Note 1896191.
Zurück zum Seiteninhalt